Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
I have this Wordpress page that a colleague of mine has been working on. The user has to be able to login in and upload some files. We are thinking about using this plugin for logging in
https://wordpress.org/plugins/profile-builder/
When logged in, the user has access to a page with a feature where he/she can select a file from his/her harddisk. The selected file should then be uploaded to an FTP server. When the upload is complete, the page should display a list of the files the user has already uploaded and have an option to delete each individual file.
I realise that this requires sending commands to the the FTP server (LIST, DELE, MKD etc).
I have considered making my on Node.js server and letting the server handle the FTP upload, but I am also thinking that there should be a Wordpress plugin for this. I have tried searching, but all I can find is instructions on how to use Wordpress' own FTP upload function to deploy a site, which is not particularly helpfull for me. Also, I don't have any experience with Wordpress, but have some web experience, so making sense of it shouldn't be difficult.
So have any of you guys done some similar before and maybe know a plugin? Or made your own server application for something like this?
Thank you.
Mains problems about upload by users in wp-upload is security, and the files type accepted by the wp uploader. It's better to use our own code, that sanitize the file following your parameters.
You can try:
https://wordpress.org/plugins/frontend-uploader/
or
https://wordpress.org/plugins/wp-file-upload/
Well this is fairly simple if you have some php skills. You dont even need any kind of ftp access. So here is a basic breakdown of how it should be done the "wordpress way".
1) Separate dashboard/user areas for different users (the page they see
after login)
Well its not a good idea to give users access to the backend/admin area and is not very user friendly as well, so you can look into theme-my-login plugin which does a great job of creating login pages and separate pages where users are redirected after login.
2) Then you need to have a upload area where users can upload the movies from their computer
For this you can look us wordpress attachment functions. You have functions for uploading, deleting etc. Just create a simple form and grab the uploaded file and pass them through these functions (you should look into sanitizing data properly / validation), you might also need to increase the size of uploaded files through php.ini etc.
wp_insert_attachment, wp_delete_attachment, wp_get_attachment_url
3) A repository of all movies uploaded by specific user
This is a piece of cake with user meta's. The above described attachment functions comes with action hooks, Hooks are like triggers that gets triggered when someone does some action. So once the attachment is uploaded, you can hook into that action and grab the id of the uploaded attachment, name of uploaded attachment etc and them save them to the logged in user's meta. Its better if you use an array of values and then encode them into json. This way a list of all user movies can be store in a single database entry, which would be very efficient.
For creating and updating user meta's you should this function update_user_meta, delete_user_meta, etc.
Now to show all movies by a user, you can use something like get_user_meta('movie_list')
Related
Information
I’m a bit new and want to create a site with these capabilities but don’t know where to start, please point out if I violated any rules or should write differently.
I’ll a bit specific here, so there is a web novel site where content is hidden behind a subscription.
So you would need to be logged into an account.
The novels are viewed through the site’s viewer which can not be selected/highlighted then copied.
Question
If you web scrape and download the chapters as .txt files then machine translated using like Google Translate, is there a way to track the uploader of the MTL or when the MTL file is shared?
Of similar nature there are aggregator sites that have non-MTL’d novels on them, but the translation teams have hidden lines which tell readers to go to their official site. The lines aren’t on the official site though, only when it has been copied. How is that possible?
I’ve slightly read about JWT, and I’m assuming they can find the user when they’re on the website but what about in the text?
Additional Question (if above is possible, don’t have to answer this just curious)
If it is possible to embed like some identifying token, is there a way to break it by perhaps converting it into an encrypted epub?
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
We're creating a new web app based in Node. As many apps do, we would like to restrict the number of users who sign up, so we can test and scale up smoothly. So, people would sign up (with an email address), and then when a batch of users are released (either manually or automatically), that batch would receive an email that would allow them to sign up.
I've seen this process a number of times on the user side, but have never been involved with building a beta queue system, so I'm not sure the best way to approach this from a architecture / code perspective. Some specific questions might be:
What would be the flow for signup from a Node perspective?
What might be the underlying data model?
For "time-released" or batch releases of users, what might be the best way to manage that or trigger it?
Are there are node modules that might help with this?
Any help appreciated.
I implemented something like this in a .Net / SQL Server setup.
Basically, the user table had a flag indicating that that user was a beta user and allowed access.
Then I modified the user authentication module to return a different error message indicating that the were signed up but they couldn't access the application yet. This would only show if they successfully authenticated like normal. You could also send them to a different landing page so it doesn't look like they used the wrong credentials.
Next you can provide an admin interface to kick off a script to set the beta flag on a batch of users. This should also trigger some type of notification to let the user know they have access.
For time released options, you could have something else trigger the batch script to set the flags, or have a monitor service that finds any users without access that signed up over X days ago.
I think a lot of this would need to be customized based on your application and when you want to release beta users. There are also some services out there that allow single sign-on and gather analytics about your beta users if you want to see more information without having to roll your own.
Hope this helps. It would be nice to see an actual module you could drop in and configure with your specific database, user model, and authentication / signup process.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
Tumblr allows users to edit the HTML and CSS of their blogs through a Templating system. In fact, it even allows users to include their own external scripts into their pages. Doing this obviously opens a lot of security holes for Tumblr; however, it's obviously doing fine. What's even more interesting is how Tumblr's team managed to do all these through a LAMP Stack before.
One thing that I found out through pinging different Tumblr sites is that the blog sites are dispersed through multiple servers.
Nonetheless, hacking the root of just one of those servers could compromise a ton of data. Furthermore, while some could argue that Tumblr may just be doing manual checks on each of its blogging sites, it still seems pretty risky and unpractical for Tumblr's team to do so because of the amount of data that Tumblr has. Because of this, I think there are still some aspects that checking manually hasn't covered yet, especially in terms of how Tumblr's team filters their user input before it enters their database.
My main question: How does Tumblr (or any other similar site) filter its user input and thereby, prevent hacking and exploits from happening?
What is Tumblr.
Tumblr is a microbloggin service, which lets its users to post multimedia and short text blogs on their website.
Formating and styling blog
Every blog service lets its user to edit and share the content. At the same time they also let their users to style their blog depending on what type of service they are providing.
For instance, A company blog can never have a garden image as its background and at the same time a shopkeeper can never show a beach image; unless they are present at that place or include such objects in their work.
What Tumblr. does
Well, they just keep checking the files for any error!
As a general bloggin platform. It is necessary to allow the users to upload and style them blogs. And at the same time it is a job for the company to keep the control of how their service is used!
So Tumblr. keeps a great note on these things. They also donot allow to upload files that infect the system, and are well-known to delete such accounts if anything fishy is caught!
Tumblr. allows the users to upload files and multimedia that is used to style the blog. They used a seperate platform where to save all such files! So when you upload it, it does not get executed on their system. They access it from the server or from the hard drive which these files are saved on and then provide you with the blog that includes those files.
What would I do
I would do the same, I would first upload and save the files on a seperate place, where if executed they donot harm my system if are infected by a virus. Not all the users upload virus. But once they do, you should use an antivirus system to detect and remove the virus and at the same time block that account.
I would have let the users to use my service, now its user's job to upload content and its my job to prevent hacking.
All this stuff (HTML/CSS/External scripts) does not run on Tumblr machines. So to them it does not matter. One is responsible for the stuff that runs on your own PC. As to Javascript it lives in a sandpit
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
I am working on an online video training website and i want to make secure my videos so that no one can download the videos. Can any one help me how can i restrict video download, i have tried different HTML5 and javascript players but none of these are providing this feature.
You can store the video files outside of the web root or inside a restricted directory. A user logs into the web application normally. Then you have a server side script that checks the users permissions and opens the file for the user.
Alternatively if there is no login then the player can request a token from the web application. This token is then used to access the file only once. This is the best you can do, of course an attacker can still save the file. A user will always be able to do this until the end of time, because thats how the Internet works.
you can create the file name longest enough as permitted by server (applies to photos as well)...cannot be saved even from a smart phone...make sure the file name long enough. Then use this encrypter:
http://www.dynamicdrive.com/dynamicindex9/encrypter.htm
Blend in the new code into your html.
Finally use additional scripting to disable right click (search internet for this free script).
Stream the video.. Hide the root from the server there's many ways to do that. Encrypt the file do all the right clicks off when over the stream. And for the end choose a very rare format! A normal user will give up. An advanced user will get it no matter what!
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
i've always wanted to make some of our companies products open-source..but we have a lot of things in our source code that would make us vulnurable. How is this handled in most open source projects? For example, we use some custom web services to do actions to our database (Add accounts, delete accounts, ect). The source code would have to contain the key (password) we use to use the web service. If someone wanted, they could grab the source, get the key to use our web service, and wreck havoc on our database.
Are these just projects that should not be open source? Or is it common to just put the sensitive stuff in a file or something and not include that part? (Although doing this, would make the source kinda useless for the public since it would lose it's functionality).
Any links or resources on open-source projects and how this kinda stuff should be handled would be nice.
Thanks
Passwords and senstitive data are best not included the source file. If you look at the design of open-source software like PHPMyAdmin, a config file is provided to add in those information, and are usually stored in the root folder of the webhost (or anywhere outside www folder).
So the idea is that if your website use some info to link to a service, you should hide them away in a file as well and ask your user to provide the password and to create their own account.
Would it not be possible to put your sensible data into a configuration file? This will also allow other users to easily add their own sensitive information etc.
You should not include the sensitive data into the public, so one option could be to make a public API for the services, and then the users would need to create an account to get an API key for the data.
I don't think this should stop you from Open Source the products, but I think you need to rethink the way the data is handelend trough a public API.
If you're hardcoding a database password in your code, you're doing it wrong. As others have pointed out, you should store that in a separate and protected configuration file.
If you distribute your code, be it the source or just a binary, that password is out there and can be recovered by anyone that cares to do so. Hardcoded passwords in binaries are often a trivial matter for a hacker to recover.
Though program codes are open-source, your sensitive data is not. Never "provide" your data to others.
Normally, one-way hashing verification can already be used as basic encryption.
If extra security is needed, use an extra measure, like public & private keys & pre-shared passwords.